CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
Analysis
HAX CMS PHP versions prior to 11.0.3 contain an OS command injection vulnerability in the `gitImportSite` functionality: insufficient validation of the user-supplied URL parameter allows an authenticated attacker to bypass the `filter_var` and `strpos` checks and execute arbitrary OS commands through the `proc_open` call in the `set_remote` function. Because the attacker can both run commands and exfiltrate their output, this is a critical post-authentication code execution risk with full OS command execution on the backend server.
Technical Context
The vulnerability exists in HAX CMS PHP's git import functionality, specifically in how the application handles the URL supplied in the POST request. The application attempts to validate this input with PHP's `filter_var` function (typically FILTER_VALIDATE_URL) and with `strpos` string matching; both check the shape of the string, not its shell syntax, so neither prevents command injection. The root cause (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is that the user-controlled input reaches `proc_open` without neutralization; when given a command string, `proc_open` hands that string to the system shell for interpretation. The `set_remote` function receives the attacker-crafted URL and passes it into the process execution pipeline without proper escaping, so shell metacharacters can break out of the intended command boundaries. This is the classic command injection pattern: validation that confirms "this looks like a URL" says nothing about whether the value is safe to place on a shell command line.
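To make the root cause concrete, here is an added example that is not HAX CMS's own code (the function names `setRemoteUnsafe`, `isAcceptableGitUrl` and `setRemoteSafe` are hypothetical). It places the unsafe shape the page describes, a URL interpolated into a `proc_open` command string, next to a hardened version that allowlists the URL and then runs git without a shell at all:

```php
<?php
// Added example, not HAX CMS's own code. Contrasts the unsafe pattern
// described above with a hardened version. All function names are
// hypothetical.

declare(strict_types=1);

// Unsafe shape: the URL is interpolated into a command STRING, so proc_open
// hands the whole line to /bin/sh and any shell metacharacter in $url is
// interpreted. Running filter_var(FILTER_VALIDATE_URL) first does not help:
// that filter checks URL syntax, not shell syntax.
function setRemoteUnsafe(string $repoDir, string $url): void
{
    $cmd = "git remote add origin $url";
    $proc = proc_open($cmd, [], $pipes, $repoDir);
    if (is_resource($proc)) {
        proc_close($proc);
    }
}

// Allowlist validation: accept only https repository URLs whose every
// character belongs to a small safe set. filter_var is kept as a first
// sanity check, but the decision is made by the whole-string pattern.
function isAcceptableGitUrl(string $url): bool
{
    if (strlen($url) > 2048) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    // Credentials, query strings and fragments have no place in an import URL.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['query']) || isset($parts['fragment'])) {
        return false;
    }
    // Letters, digits and the few punctuation characters a repository URL
    // legitimately contains. Every shell metacharacter (; | & ` $ ( ) < >,
    // space, quotes, newlines) is excluded, and the "https://" prefix means
    // the value can never start with "-" and be mistaken for a git option.
    return preg_match('#^https://[A-Za-z0-9.\-]+(:[0-9]{1,5})?/[A-Za-z0-9._/\-]+$#', $url) === 1;
}

// Hardened version: validate against the allowlist AND run git without a
// shell. With an array command (PHP 7.4 and later) proc_open executes the
// program directly, so $url is always exactly one argv entry, whatever it
// contains.
function setRemoteSafe(string $repoDir, string $url): bool
{
    if (!isAcceptableGitUrl($url)) {
        return false;
    }
    $argv = ['git', 'remote', 'add', 'origin', $url];
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes, $repoDir);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}
```

The two fixes are independent and both are worth having: the allowlist rejects anything that is not a plain https repository URL, and the array form of `proc_open` means that even an unexpected character can never reach a shell. On PHP older than 7.4 the closest equivalent is wrapping the value in `escapeshellarg()` inside the command string, which is weaker because correctness then depends on the shell's quoting rules rather than on the absence of a shell.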
Affected Products
HAX CMS PHP versions prior to 11.0.3. The affected component is the `gitImportSite` functionality, specifically the POST request handler for git URL imports and the `set_remote` function. The corresponding CPE is cpe:2.3:a:hax_cms:hax_cms:*:*:*:*:*:php:*:* with the version constraint <11.0.3. No vendor advisory URL is provided in the source data, but patch availability is confirmed in version 11.0.3.
Remediation
Immediate: upgrade HAX CMS PHP to version 11.0.3 or later, which patches the input validation in `gitImportSite`. Organizations that cannot patch immediately should apply network-level mitigations:
1. Restrict access to HAX CMS authentication endpoints to trusted networks or VPNs only.
2. Add Web Application Firewall (WAF) rules that detect command injection patterns in POST parameters related to git import (shell metacharacters such as backticks, $(), |, &, ;, >, < in URL parameters).
3. Disable the git import functionality if it is not actively used.
4. Monitor `proc_open` execution logs for suspicious command patterns.
Long-term: restrict admin/import functionality in the HAX CMS deployment to the least-privileged set of users that actually need it.
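As an added example of mitigation item 2, not part of this page or of HAX CMS, the following PHP request filter flags git-import POST parameters that contain shell metacharacters. The endpoint path (`GIT_IMPORT_PATH`), the parameter name `url` and the function name are assumptions chosen for illustration, and the sample requests are constructed; the one point the paragraph does not spell out is that the check must also run over a URL-decoded copy of each value, otherwise a percent-encoded metacharacter passes straight through.

```php
<?php
// Added example, not from vuln.today or HAX CMS. A small perimeter filter in
// the spirit of mitigation item 2: flag POST parameters of the git-import
// endpoint that contain shell metacharacters before the request reaches the
// application. Path and parameter names are assumptions.

declare(strict_types=1);

// Assumed endpoint path, for illustration only.
const GIT_IMPORT_PATH = '/system/api/gitImportSite';

// Characters that have meaning to /bin/sh but no place in a repository URL:
// backtick, $ ( ) | & ; < >, CR/LF, both quote kinds and backslash.
const SHELL_META = '/[`$()|&;<>\r\n\'"\\\\]/';

/**
 * Returns the names of POST parameters that look like command-injection
 * attempts against the git-import endpoint, or an empty array if the
 * request is clean or targets a different path.
 */
function flagSuspiciousImportParams(string $path, array $post): array
{
    if ($path !== GIT_IMPORT_PATH) {
        return [];
    }
    $flagged = [];
    foreach ($post as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        // Check the raw bytes and one round of URL decoding, so that a
        // percent-encoded metacharacter does not slip past the rule.
        foreach ([$value, rawurldecode($value)] as $candidate) {
            if (preg_match(SHELL_META, $candidate) === 1) {
                $flagged[] = (string) $name;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample requests (not real traffic): a legitimate import, one
// with a stray metacharacter, one with the same character percent-encoded,
// and one on an unrelated endpoint that the rule must leave alone.
$samples = [
    ['path' => GIT_IMPORT_PATH, 'post' => ['url' => 'https://github.com/example/site.git']],
    ['path' => GIT_IMPORT_PATH, 'post' => ['url' => 'https://github.com/example/site.git; ']],
    ['path' => GIT_IMPORT_PATH, 'post' => ['url' => 'https://github.com/example/site.git%3B']],
    ['path' => '/system/api/listSites', 'post' => ['q' => 'a;b']],
];
foreach ($samples as $i => $s) {
    $hits = flagSuspiciousImportParams($s['path'], $s['post']);
    printf("request %d: %s\n", $i, $hits ? 'BLOCK (' . implode(',', $hits) . ')' : 'allow');
}
```

Expected behaviour for the constructed samples: request 0 and request 3 are allowed, requests 1 and 2 are blocked on the `url` parameter. A denylist like this is a stopgap that buys time until the upgrade; the durable fix is the allowlist and shell-free process launch inside the application, where the value is actually used.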
EUVD-2025-17578
GHSA-g4cf-pp4x-hqgw